Revision e12a382e

Added by Alex Fisher almost 8 years ago

Ensure the `puppet` group exists

In puppet 4 AIO packaging, it's the `puppetserver` package that creates
a `puppet` user and group.

The `puppet-agent` package doesn't create the group and unless
`puppetserver` is also installed the ssl keys and certs are owned by
`root:root` and are not readable by the foreman proxy. (It's the
installation of `puppetserver` that chowns the ssldir to
`puppet:puppet`)

With this commit, the module ensures that the `puppet_group` group
exists even on puppet 4. It also makes sure the ssl_key/cert/ca files
and parent directories are group owned by the `puppet_group`.

The change is hopefully quite conservative. Only if both `$puppet` and
`$puppetca` are false and `$ssl` is true will it have any effect.
By default, it also only applies to puppet 4 and can be turned off
completely by setting `manage_puppet_group` to `false`.

Users who already manage the creation of the puppet group (for instance
to work around https://tickets.puppetlabs.com/browse/SERVER-1381) are
further protected by the `if !defined`.
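
An added example, not code from this commit or the module: a check an operator could run to confirm that a key file and its parent directories up to the ssldir are reachable by the proxy's group. The function name, the `top` and `private` parameters, and the sample tree are assumptions made for illustration; the check ignores owner bits and ACLs.

```python
import os
import stat
import tempfile

def group_access_problems(path, gid, top, private=False):
    """List (path, reason) pairs that stop a member of `gid` reading `path`.

    Checks the file and each parent directory up to `top` (the ssldir).
    Assumes the reader is not the file owner and that no ACLs apply.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    problems = []
    st = os.stat(path)
    if st.st_gid != gid:
        problems.append((path, "wrong group"))
    elif not st.st_mode & stat.S_IRGRP:
        problems.append((path, "group cannot read"))
    if private and st.st_mode & stat.S_IROTH:
        problems.append((path, "world-readable private key"))
    parent = os.path.dirname(path)
    while True:
        pst = os.stat(parent)
        # Group members are judged on the group bits only; others on o+x.
        bit = stat.S_IXGRP if pst.st_gid == gid else stat.S_IXOTH
        if not pst.st_mode & bit:
            problems.append((parent, "directory not traversable"))
        if parent == top or parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return problems

def demo():
    # Constructed tree standing in for an ssldir left at root-only modes.
    top = tempfile.mkdtemp()
    keydir = os.path.join(top, "private_keys")
    os.mkdir(keydir)
    key = os.path.join(keydir, "proxy.example.pem")
    open(key, "w").close()
    os.chmod(top, 0o755); os.chmod(keydir, 0o700); os.chmod(key, 0o600)
    gid = os.stat(key).st_gid
    return group_access_problems(key, gid, top, private=True)

if __name__ == "__main__":
    for where, reason in demo():
        print(f"{where}: {reason}")
```

Group ownership alone is not enough: a key at mode 0640 is still unreadable when any directory above it lacks the group search bit, which is why the parents are checked as well.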
